The new features and enhancements available in this release
are listed here.
- Multiple security domain support
- In virtual member manager version 8.0, you can configure a separate
instance of virtual member manager for each security domain in a multiple
security domain environment.
- Flexible administration
- In the flexible administration mode, you can have different virtual
member manager configurations for administrative agent and subsystems,
including a combination of both virtual member manager repositories
and non-virtual member manager repositories. The administrative agent
JVM can host multiple instances of virtual member manager, one per
subsystem that has virtual member manager as the active user registry.
For more information, read about Configuring job managers and Managing administrative jobs using wsadmin scripting in
the WebSphere® Application
Server information center.
- Federated repository management rights
- You can map users and groups to roles for assigning federated
repository management rights. Read about the predefined roles and
their permissions in the topic, Providing security, in the virtual
member manager documentation.
The following wsadmin commands
enable users who are not WebSphere Application
Server administrators to access the virtual member manager application
programming interface (API) methods. You can use the following commands
to assign users and groups to a predefined virtual member manager
role:
- mapIdMgrUserToRole
- mapIdMgrGroupToRole
- removeIdMgrUsersFromRole
- removeIdMgrGroupsFromRole
- listIdMgrUsersForRoles
For more information, read about using these commands in the
topic, IdMgrConfig command group for the AdminTask object in
the WebSphere Application
Server information center.
- changeMyPassword command
- A wsadmin command is provided, which allows you to change your
password when you are logged in to WebSphere Application
Server, regardless of the WebSphere Application Server role you are
assigned. For detailed information about the command parameters and examples,
read about the changeMyPassword command in the
topic, WIMManagementCommands command group for the AdminTask
object in the WebSphere Application
Server information center.
- SAF mapping module logging
- To enable logging for the SAF mapping module, you must set debugEnabled=false in
the code and specify a custom property through the administrative
console. The steps are listed in the topic (step 5), Configuring a custom System Authorization Facility
(SAF) mapping module for federated repositories in the WebSphere Application Server
information center.
- Default LDAP configuration settings for Microsoft Active Directory
- In virtual member manager version 8.0, the following default LDAP
configuration settings for Microsoft Active Directory have been changed:
- The default value of membership attribute for users is "memberOf".
This is used when searching for groups to which a user belongs.
- The default value of user search filter for Active Directory is
"(ObjectCategory=User)".
- Default value of cache distribution policy (dynacache)
- The default value of the cacheDistPolicy property
is none. In releases prior to version 8.0, the default
value was push.
- This default value also applies when you use the setIdMgrLDAPAttrCache, setIdMgrLDAPSearchResultCache, updateIdMgrLDAPAttrCache,
and updateIdMgrLDAPSearchResultCache wsadmin commands.
- Support for user-defined schema
- You can specify a user-defined database schema where you want
to create the federated repository tables. Use the dbSchema parameter
and the tablespacePrefix parameter (tablespacePrefix
is for DB2 for z/OS only) with the following wsadmin commands:
- setupIdMgrDBTables
- setupIdMgrPropertyExtensionRepositoryTables
- setupIdMgrEntryMappingRepositoryTables
- deleteIdMgrDBTables
- deleteIdMgrPropertyExtensionRepositoryTables
- deleteIdMgrEntryMappingRepositoryTables
- createIdMgrDBRepository
- updateIdMgrDBRepository
- setIdMgrEntryMappingRepository
- setIdMgrPropertyExtensionRepository
- For more information see the following topics in the WebSphere Application Server information
center:
- For specifying a user-defined database schema during manual setup
of federated repository tables, see the following topics:
- Support for user-defined bufferpools (DB2 for z/OS only)
- You can specify user-defined bufferpools when creating the federated
repository tables on DB2 for z/OS. Use the tablesBufferPool, LOBtablesBufferPool,
and indextablesBufferPool parameters with the
following wsadmin commands:
- setupIdMgrDBTables
- setupIdMgrPropertyExtensionRepositoryTables
- setupIdMgrEntryMappingRepositoryTables (only
tablesBufferPool)
- For more information see the topic, Setting up an entry mapping repository, a property
extension repository, or a custom registry database repository using
wsadmin commands in the WebSphere Application
Server information center.
- For specifying user-defined bufferpools during manual setup of
federated repository tables, see the topic, Manually setting up the property extension repository
for DB2 for iSeries or DB2 for z/OS.
- Repository adapter cache
- You can clear the repository adapter cache by using the following
commands:
You can also use the clearCache parameter
with the following commands to clear the repository adapter cache:
To programmatically clear the repository adapter cache,
you can use the CacheControl DataObject.
- Virtual member manager schema information
- You can retrieve virtual member manager schema information
by using the following commands:
- getIdMgrSupportedDataTypes
- getIdMgrPropertySchema
- getIdMgrEntityTypeSchema
For more information about these commands, see the topics IdMgrDataModel command group for the AdminTask object and WIMManagementCommands command group for the AdminTask
object in the WebSphere Application Server information center.
- Default parent of realm
- You can use the following commands to set, modify, retrieve, or
delete the default parent for an entity type in a specified realm:
- setIdMgrRealmDefaultParent
- listIdMgrRealmDefaultParents
- deleteIdMgrRealmDefaultParent
- Client certificate login support for file repository
- You can enable support for client certificate login in a realm
configured with a single built-in file-based repository or a multiple
repository configuration that includes the file-based repository and
other repositories. The default configuration of the file-based repository
ignores a certificate login request, returns an empty search result,
and does not display any error. To enable support for certificate
mapping in the file-based repository, install WebSphere Application
Server fixpack version 8.0.0.4 or higher, and follow the procedure
in the topic, Enabling client certificate login support for a file-based
repository in federated repositories.
- Documentation enhancements
- To help programmers who are developing virtual member manager
applications, sample code for using virtual member manager APIs in
various scenarios is provided under the section, Integrating virtual member manager into your application.
Performance benchmarking
results of startup time and memory footprint for virtual member manager
8.0 as compared with the previous version 7.0 are documented at Performance benchmark for virtual member manager.